Thursday, September 18, 2008

What’s important, Palin’s Yahoo Mail account hacked

That’s right, Alaska Governor and Republican Vice-presidential candidate Sarah Palin's quasi-personal Yahoo Mail (gov.palin@yahoo.com) account was hacked into by the infamous group called “Anonymous”. While there are conflicting news reports on the incident’s authenticity, emails, screen shots, and family photos have been posted to Wikileaks as proof. If we assume the incident is real, there are many ways a free WebMail account could be compromised, some more likely than others:

For myself and the rest of the InfoSec industry the “how” is interesting, but it’s unimportant for everyday users like our friends, family, coworkers, politicians, etc. What they need to know is that WebMail compromises could happen to anyone, even if they do everything “right”, because security is largely out of their hands and behaving perfectly all the time is impossible. Mistakes happen, and the higher profile a person you are, the more likely you are to be targeted.

Bottom line: DO NOT receive or store anything you don’t want read or made public on these “free” WebMail systems. They are NOT private. They are NOT secure. They are NOT safe. The same goes for Google Docs, social network private messages, online backup solutions, whatever. What they are is FREE and CONVENIENT. The businesses that support them are not accountable for your privacy, security, or lack thereof. Read their EULA or ToS if you don’t want to take my word for it.

14 comments:

In my opinion, free webmail accounts are -more- likely to be secure than a town or even small state's mail server. In a free webmail account -you- are the insecure link, for all the reasons you mention. But Yahoo's and Google's servers are more likely to be secure than a town or state's.

If you want to break into a yahoo account, do you start by portscanning yahoo? Or do you see if the user logs into it from a library, or has a silly password hint.

That said, they aren't private in the truest sense, as you say, because the data is out of your control and accessible by their employees, and can be turned over as they see fit.

What's surprising to me is not that it happened; it's why it hasn't happened before. I always go back to the old adage: where there’s Motive, Opportunity, and Means there tends to be crime. You covered the Means, we can all infer the Opportunity (is there a bigger target than Yahoo?), but given the political climate there’s huge Motive to go after all the politicians. Probably just an issue with the vetting process. How much do you want to bet both Dems and Republicans are adding to their vetting checklists for unknown candidates: a) check for webmail accounts, b) have candidate delete account, c) or teach candidate hard password.

I won't comment on the security posture of free webmail accounts or private mail servers. What I will say is that folks attacking political campaigns through technology is becoming very interesting. Moreover, the further usage of technology in these campaigns to reach target audiences is creating a pretty big attack surface.

Personally, I was thinking about three or four other ways that this campaign could be affected by attacks on other web vectors.

The problem was, by far, not the quality of questions for password reset. The problem was a combination of:

1) If a user answers the password reset question correctly, and the user has no secondary email account attached to their Yahoo account, the user is automatically authenticated.

2) Palin did not have a secondary email address attached to her Yahoo account.

3) Once the attacker answered Palin's foolishly simple forgot-password security questions, they were immediately granted access to the account.

Jim, no secondary email address is a common scenario on Yahoo mail. Since it's one of the first free web mail systems back from the early web, this was/is the only email address people have. They just don't think to add in a secondary after initial registration.

Jeremiah: Fair enough. I say boo to Yahoo. At the very least, the user should be given a warning during registration time. All ISPs offer free email that could be used for the secondary email. I'm sure you will agree that the combination of password-reset-auto-authentication and weak security questions is a recipe for disaster. I agree 100% with your opinion that free webmail is not safe. At the very least, stronger questions could have stopped this hack.

Unfortunately, most people don't have any other option. Your average user cannot configure a mail client, let alone configure their own mail server. ISP email accounts use webmail. Users need to be educated that password hint questions should never be answered properly. You must lie or put in random garbage.
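Two points in the comments above lend themselves to a worked illustration: the reset flow Jim describes (a correct security-question answer on an account with no secondary address is treated as authentication) and the last comment's advice to answer such questions with random garbage. The following simulation is added here by the editor; it is not Yahoo's code and not from the original post. The account model, the `MAX_FAILED_RESETS` limit, the `OUTBOX` list standing in for mail delivery, and the sample answer "Springfield" are all constructed for the example. It puts the flawed flow beside a hardened one in which the answer only gates an out-of-band step, attempts are counted, and an account with no recovery channel never receives a session.

```python
"""Constructed simulation of a knowledge-based password-reset flow, flawed and hardened."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FAILED_RESETS = 5  # assumption for the example: lock the reset path after five wrong answers


@dataclass
class Account:
    username: str
    answer_hash: bytes                      # hash of the security-question answer
    secondary_email: Optional[str] = None   # None models the "no secondary address" case
    failed_resets: int = 0


def hash_answer(answer: str) -> bytes:
    """Normalise and hash a security answer. SHA-256 keeps the example short;
    a real service would use a slow, salted KDF."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).digest()


def answer_matches(acct: Account, answer: str) -> bool:
    # constant-time comparison of the stored and supplied answer hashes
    return hmac.compare_digest(acct.answer_hash, hash_answer(answer))


def reset_flawed(acct: Account, answer: str) -> str:
    """The flow described in the comment: a correct answer on an account with
    no secondary address hands the caller a session directly."""
    if not answer_matches(acct, answer):
        return "DENIED"
    if acct.secondary_email is None:
        return f"SESSION_GRANTED:{acct.username}"   # knowledge alone equals authentication
    return f"LINK_SENT:{acct.secondary_email}"


OUTBOX: List[Tuple[str, str]] = []   # constructed stand-in for mail delivery: (address, token)


def reset_hardened(acct: Account, answer: str) -> str:
    """Hardened flow: the answer only unlocks an out-of-band step, wrong
    answers are counted, and no recovery channel means no automatic reset."""
    if acct.failed_resets >= MAX_FAILED_RESETS:
        return "LOCKED"
    if not answer_matches(acct, answer):
        acct.failed_resets += 1
        return "DENIED"
    if acct.secondary_email is None:
        return "NO_RECOVERY_CHANNEL"   # route to manual identity verification instead
    token = secrets.token_urlsafe(32)    # single-use token; the real flow would also expire it
    OUTBOX.append((acct.secondary_email, token))
    return "LINK_SENT"


def unguessable_answer() -> str:
    """The last comment's advice: store random garbage as the 'answer' (kept in
    a password manager) so the question cannot be answered from public records."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    weak = Account("user1", hash_answer("Springfield"))          # constructed, guessable answer
    print(reset_flawed(weak, "springfield"))                    # SESSION_GRANTED:user1
    print(reset_hardened(weak, "springfield"))                  # NO_RECOVERY_CHANNEL
    strong = Account("user2", hash_answer(unguessable_answer()), "backup@example.net")
    print(reset_hardened(strong, "springfield"))                # DENIED
```

Running the script shows the contrast: the same guessable answer yields a session under `reset_flawed` but only `NO_RECOVERY_CHANNEL` under `reset_hardened`, and an account whose stored answer came from `unguessable_answer()` denies the guess outright. The lockout counter is per account, which is what makes the hardened path resistant to repeated guessing of a short list of likely answers.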

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!